[GENERAL] Logging in Code vs SQL-WHERE was: Row based permissions: at DB or at Application level? - Mailing list pgsql-general

From Thomas Güttler
Subject [GENERAL] Logging in Code vs SQL-WHERE was: Row based permissions: at DB or at Application level?
Date
Msg-id 2c47f971-bbe0-15aa-432c-81812e34267a@thomas-guettler.de
In response to Re: [GENERAL] Row based permissions: at DB or at Application level?  (vinny <vinny@xs4all.nl>)
List pgsql-general
I have been thinking about this again.

Doing perm checking in code (I use Python) has the advantage that you can do logging:


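import logging

logger = logging.getLogger(__name__)


def has_perm(item, user):
    """Return True if user may access item; log the reason for the decision."""
    if user.is_superuser:
        logger.debug('Access to %s for %s allowed, since user is superuser', item, user)
        return True
    if ...:  # further rules, elided in the original message
        logger.debug('Access to %s for %s allowed, since ...', item, user)
        return True
    logger.debug('Access to %s for %s not allowed.', item, user)
    return False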


We use this sometimes for debugging. This way I can see why a user is allowed to access an object or not.

This is an argument for permission checking in code.

On the other side I still think perm checking in SQL WHERE has more benefits.

Regards,
   Thomas Güttler





--
Thomas Guettler http://www.thomas-guettler.de/
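
The trade-off discussed in the message above, as an added example that is not part of the original post: the same rules enforced once in a SQL WHERE clause and once in Python that logs the reason, with a cross-check that both agree. It uses an in-memory SQLite database as a stand-in for PostgreSQL so it runs offline; the tables, the sample rows and the "owner" rule are assumptions, since the message elides its second rule.

```python
import logging
import sqlite3

logger = logging.getLogger("perm")

# Constructed sample data; the owner rule is an assumed stand-in for the elided "...".
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_superuser INTEGER);
CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, owner_id INTEGER);
INSERT INTO users VALUES (1, 'root', 1), (2, 'alice', 0), (3, 'bob', 0);
INSERT INTO items VALUES (10, 'a-notes', 2), (11, 'b-notes', 3), (12, 'a-plan', 2);
"""

# Enforcement in the query: rows the user may not see never leave the database.
VISIBLE_SQL = """
SELECT i.id FROM items i, users u
WHERE u.id = ? AND (u.is_superuser = 1 OR i.owner_id = u.id)
ORDER BY i.id
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def visible_ids_sql(conn, user_id):
    return [row[0] for row in conn.execute(VISIBLE_SQL, (user_id,))]


def explain_perm(item, user):
    """Same rules in Python, returning (allowed, reason) and logging the reason."""
    if user["is_superuser"]:
        allowed, reason = True, "user is superuser"
    elif item["owner_id"] == user["id"]:
        allowed, reason = True, "user owns item"
    else:
        allowed, reason = False, "no rule matched"
    logger.debug("Access to %s for %s: %s (%s)", item["id"], user["name"], allowed, reason)
    return allowed, reason


def visible_ids_code(conn, user_id):
    user = conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchone()
    if user is None:  # unknown user: nothing is visible, matching the SQL path
        return []
    items = conn.execute("SELECT * FROM items ORDER BY id").fetchall()
    return [i["id"] for i in items if explain_perm(i, user)[0]]
```

Comparing `visible_ids_sql` with `visible_ids_code` for every user in a test guards against the logged explanation drifting away from the rule the database actually enforces.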

